The EU AI Act's entire compliance architecture hangs on one question: which risk tier does your AI system fall into? Answer it correctly and you know exactly which obligations apply. Answer it wrongly and you are either over-investing in conformity work you do not owe, or — far worse — running a system regulators treat as high-risk with none of the controls they expect. Everything downstream — documentation, oversight, registration, the conversation you have with your auditor — is determined here.

This article walks through the classification exercise as a practitioner does it: not the legal text, but the practical work of taking a real AI system in your organisation and deciding where it sits. It also clears up a timeline that shifted under most people in 2026.

Why classification is the first move

Before you draft a single page of technical documentation, stand up monitoring, or brief your Datenschutzbeauftragte, you classify. A minimal-risk system needs an inventory entry and little else. A high-risk system needs a risk management system, data governance, technical documentation, logging, human oversight, accuracy and robustness controls, and registration in the EU database. The difference in effort is genuinely an order of magnitude, and you cannot scope the work until you know the tier.

Most DACH mid-market companies are not running one AI system — they are running a spread of them, from production workflows to internal tooling to third-party SaaS with AI quietly embedded inside it. In our experience the first honest pass through that inventory almost always surfaces something nobody had on the list: a recruiting tool that scores candidates, a claims-triage model, an "analytics" feature in a procured platform that turns out to make decisions about people. Those are the systems that move you up a tier, and they are exactly the ones that hide.

The four risk levels, practically applied

The Act sorts AI into four bands — unacceptable, high, limited (transparency), and minimal — and the obligations escalate sharply as you climb.

Unacceptable risk: the bright line

The Act outright prohibits a defined set of practices under Article 5. The list is short, specific, and already in force: the prohibitions became applicable on 2 February 2025. They cover social scoring that leads to detrimental treatment in unrelated contexts; real-time remote biometric identification in publicly accessible spaces for law enforcement (with narrow exceptions); AI that exploits the vulnerabilities of people on the basis of age, disability, or socio-economic situation; emotion recognition in workplaces and educational institutions (outside medical or safety use); untargeted scraping of facial images from the internet or CCTV to build recognition databases; biometric categorisation that infers sensitive attributes such as race, political opinion, religion, or sexual orientation; and predictive policing based solely on profiling. The Commission has since published detailed guidelines on exactly how each prohibition is read.

The practical check: run your inventory against the list. Does any system infer employee emotion? Score customers on social behaviour into unrelated outcomes? Categorise people biometrically by a sensitive trait? For most DACH companies in insurance, manufacturing, financial services, or professional services this produces zero matches — but run the check, document the result, and note it for the file. The one that catches people is emotion recognition: a "sentiment" feature bolted onto a workforce or training tool can land here, and the prohibition carries the heaviest penalty band in the Act — up to €35 million or 7% of worldwide annual turnover.

High-risk: the heavyweight category

A system is high-risk by one of two routes. The first is Annex I: if the AI is a safety component of — or itself is — a product already covered by EU harmonised legislation that requires third-party conformity assessment (medical devices, machinery, lifts, radio equipment, and the like), it inherits high-risk status. The second is Annex III, which lists standalone use cases: biometric identification and categorisation; critical infrastructure; education and vocational training; employment and worker management; access to essential private and public services including creditworthiness and insurance pricing; law enforcement; migration, asylum, and border control; and the administration of justice and democratic processes.

For DACH mid-market companies, Annex III is where the real exposure sits. If AI screens CVs, ranks candidates, scores interviews, or monitors employee performance, that is high-risk — including a procured HR platform with the capability embedded. If AI prices insurance risk, assesses claims eligibility, or determines coverage, high-risk. Credit scoring and loan-origination decisions, high-risk. AI managing energy grids, water, transport, or other critical infrastructure, high-risk. An internal tool that allocates work or feeds performance reviews can fall under the employment heading without anyone having labelled it "AI."

High-risk classification triggers the full obligation set: a risk management system, data and data-governance controls, technical documentation, automatic logging, transparency to deployers, human oversight, accuracy, robustness and cybersecurity, and registration in the EU database. Treat it as a project with an owner, not a checklist.

Limited risk: transparency is the obligation

Limited-risk systems carry transparency duties rather than conformity work. The triggers are narrow and clear: systems that interact directly with people, such as chatbots and virtual assistants, must make clear the person is dealing with a machine; emotion-recognition and biometric-categorisation systems, where they are not outright prohibited, must inform the people subject to them; and AI-generated or manipulated content — deepfakes, synthetic media, machine-written text published in the public interest — must be marked as artificially generated, in a machine-readable way.

The practical check: customer-facing chatbots, AI content generators, virtual assistants. The obligation is disclosure, not a documentation overhaul — but the disclosure has to be clear, timely, and accessible, and the content-labelling duty in particular has its own deadline (more on the calendar below).

Minimal risk: the default

Everything else, which in practice is most of what a Mittelstand runs: spam filters, recommendation engines, predictive text, AI-assisted search, and process automation that touches none of the categories above. The Act introduces no specific obligations here — though the DSGVO and general product-safety law still apply in full. Document classification, invoice processing, internal knowledge retrieval, manufacturing-process optimisation, supply-chain forecasting, and marketing analytics typically land here. Classify them explicitly anyway and keep the record: "we decided it was minimal, and here is why" is a defensible position; "we never looked" is not. For what this tiering means for mid-market specifically, see What the EU AI Act Means for Mittelstand Companies.

The classification trap: when deployers become providers

Here is where companies get caught. You deploy a third-party model through an API for a defined workflow. As a deployer your obligations are lighter. Then you fine-tune it on your own data, bolt on a classification layer, or point it at a purpose the provider never specified — and under Article 25 you can become the provider of a high-risk system. A substantial modification not foreseen in the original conformity assessment, or a change of intended purpose that pushes a system into high-risk territory, flips the role. The textbook example: repurposing a fraud-detection model to assess creditworthiness moves it into a different Annex III area, and the deployer who did the repurposing inherits the full provider obligation set.

The practical rule: record the intended purpose exactly as the provider states it. Where your use deviates, get a written assessment on whether you have crossed the provider threshold before you ship, not after. The cost of over-documenting is trivial next to the cost of discovering at audit that you have been operating as an unregistered provider of a high-risk system.

The timeline shifted — know which clock you are on

This is the part most classification guides written before mid-2026 get wrong. The prohibitions in Article 5 have applied since 2 February 2025 and became enforceable on 2 August 2025 — those are live today. The headline date for high-risk obligations was 2 August 2026. But in the Digital Omnibus on AI, EU lawmakers reached political agreement on 7 May 2026 to defer it: Annex III high-risk obligations move to 2 December 2027 (a sixteen-month postponement), and Annex I product-related high-risk obligations move to 2 August 2028. The transparency-labelling duty for AI-generated content lands on 2 December 2026.

Read this correctly. The deferral is breathing room, not a reprieve — and it is still provisional until formally adopted by Council and Parliament, so building to the original 2 August 2026 date remains the conservative call. Classification itself has no holiday: you cannot scope, budget, or defend anything until you know each system's tier, and the work behind a high-risk conformity assessment runs to months, not weeks. The extra time is for doing the work properly, not for postponing the question.

A classification workflow for your organisation

The process we run with clients is deliberately mechanical, because mechanical is auditable. Inventory every AI system first — and mean every: shadow AI, AI embedded in procured SaaS, pilots, and the "smart" feature in a tool nobody thinks of as AI. For each one, run the logic in order: does it match an Annex III use case, or is it a safety component of an Annex I product? If so, high-risk. Does it interact with people, generate content, or infer emotion? If so, limited risk. Otherwise, minimal. Then settle your role for each — provider or deployer — and ask explicitly whether you have modified the system or its intended purpose in a way that flips it under Article 25.

Document the reasoning, not just the verdict. When an auditor asks why a system is minimal risk, the answer has to reference the regulation, not a hunch. And review the whole register quarterly: new systems, new use cases, a model update, or a round of fine-tuning can all change a classification you settled six months ago.
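As an added illustration of the mechanical workflow above (example code written for this article, not a tool from the authors or any client engagement), the decision order is encoded as a function run over a constructed inventory. The flag vocabulary, the sample systems and the Article 25 test used here (deployer, plus a substantial modification or a purpose that deviates from the provider's stated one, plus a high-risk outcome) are assumptions simplified from the article's own rules, and every verdict carries the rule that produced it, so the register records the reasoning and not just the tier.

```python
"""Added example (not from the article's authors): a mechanical, auditable
tier classifier for an AI inventory, following the order the article gives:
Article 5 prohibitions, then Annex I / Annex III high-risk, then limited-risk
transparency triggers, otherwise minimal, and finally the Article 25 role
check. The flag vocabulary and the sample inventory are constructed."""
from dataclasses import dataclass, field

# Constructed flag vocabulary (assumption): a real register would carry richer
# fields, these are the minimum the article's decision logic needs.
PROHIBITED = {
    "workplace_emotion_recognition": "Art. 5: emotion recognition in workplace/education",
    "social_scoring": "Art. 5: social scoring leading to unrelated detrimental treatment",
    "sensitive_biometric_categorisation": "Art. 5: biometric categorisation by sensitive trait",
}
ANNEX_III = {
    "employment": "Annex III: employment and worker management",
    "creditworthiness": "Annex III: essential services, creditworthiness",
    "insurance_pricing": "Annex III: essential services, insurance pricing",
    "critical_infrastructure": "Annex III: critical infrastructure",
    "education": "Annex III: education and vocational training",
}
LIMITED = {
    "interacts_with_people": "Transparency: people must know they deal with a machine",
    "generates_content": "Transparency: machine-readable marking of AI-generated content",
}


@dataclass
class AISystem:
    name: str
    role: str                      # "provider" or "deployer"
    provider_purpose: str          # intended purpose exactly as the provider states it
    actual_purpose: str            # what the organisation actually uses it for
    flags: set = field(default_factory=set)
    annex_i_safety_component: bool = False
    substantially_modified: bool = False   # fine-tuned, extra layer bolted on, etc.


@dataclass
class Verdict:
    name: str
    tier: str
    role: str
    reasons: list                  # the rules behind the verdict, kept for the file


def classify(s: AISystem) -> Verdict:
    reasons = []
    # 1. Article 5 bright line: a single match ends the exercise.
    for flag, why in PROHIBITED.items():
        if flag in s.flags:
            return Verdict(s.name, "unacceptable", s.role, [why])
    # 2. High-risk by Annex I (safety component) or Annex III (listed use case).
    tier = None
    if s.annex_i_safety_component:
        tier = "high"
        reasons.append("Annex I: safety component of a harmonised product")
    for flag, why in ANNEX_III.items():
        if flag in s.flags:
            tier = "high"
            reasons.append(why)
    # 3. Limited-risk transparency triggers, checked only if not already high-risk.
    if tier is None:
        for flag, why in LIMITED.items():
            if flag in s.flags:
                tier = "limited"
                reasons.append(why)
    # 4. Minimal is the default, and the reason for it is recorded as well.
    if tier is None:
        tier = "minimal"
        reasons.append("No Art. 5, Annex I, Annex III or transparency trigger matched")
    # 5. Article 25 (simplified assumption): a deployer who modified the system or
    #    changed its purpose, and ended up high-risk, takes on the provider role.
    role = s.role
    deviated = s.substantially_modified or s.actual_purpose != s.provider_purpose
    if role == "deployer" and tier == "high" and deviated:
        role = "provider"
        reasons.append("Art. 25: substantial modification or changed intended purpose, now provider")
    return Verdict(s.name, tier, role, reasons)


def classify_inventory(systems):
    """Run the whole register and key the verdicts by system name."""
    return {v.name: v for v in map(classify, systems)}


# Constructed sample inventory, not real systems.
SAMPLE_INVENTORY = [
    AISystem("mail spam filter", "deployer", "spam filtering", "spam filtering"),
    AISystem("website chatbot", "deployer", "customer chat", "customer chat",
             flags={"interacts_with_people"}),
    AISystem("HR platform CV ranking", "deployer", "candidate ranking", "candidate ranking",
             flags={"employment"}),
    AISystem("repurposed fraud model", "deployer", "payment fraud detection",
             "loan applicant creditworthiness", flags={"creditworthiness"}),
    AISystem("training tool sentiment", "deployer", "learner engagement",
             "learner engagement", flags={"workplace_emotion_recognition"}),
]

if __name__ == "__main__":
    for v in classify_inventory(SAMPLE_INVENTORY).values():
        print(f"{v.name}: {v.tier} ({v.role})")
        for r in v.reasons:
            print("   -", r)
```

The order of the checks is the substance: a prohibition match ends the exercise before any Annex is consulted, the limited-risk triggers are only reached when nothing pushed the system to high-risk, and the role check runs last because it depends on the tier. The `reasons` list is what an auditor reads; a quarterly re-run over the same register shows which verdicts changed and why.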

What comes after classification

Classification is the starting line, not the finish. For minimal-risk systems, maintain the inventory and apply the DSGVO where it bites — done. For limited-risk systems, implement the disclosures and label AI-generated content against the 2 December 2026 date — done. For high-risk systems, the work begins: conformity-assessment preparation, technical documentation, risk management, data governance, human oversight, and monitoring, scoped against your real deadline under the Digital Omnibus. That is a project with an owner and a budget.

For the full compliance framework, see the EU AI Act Compliance Guide. To run a DPIA alongside your classification, see How to Run a DPIA for AI.

A Fit Call classifies your actual AI portfolio against the four tiers and Article 25 — so you scope the right compliance work, before an auditor scopes it for you.

Book a Fit Call →


References: EU AI Act, Article 5: Prohibited AI Practices; EU AI Act, Article 25: Responsibilities Along the AI Value Chain; EU AI Act, Article 99: Penalties; European Commission, "Regulatory framework on AI"; European Commission, "Guidelines on prohibited AI practices"; Travers Smith, "EU agrees to delay key AI Act compliance deadlines," 2026.